Bucket Access Control
Each bucket is in a "scope" which determines to which entity the bucket belongs. It can be in the application scope, group scope, user scope or thing scope. This topic explains the access permissions of buckets.
The table below indicates the default ACL entries set at bucket creation. You can customize bucket ACLs with the ACL modification feature of the client SDKs and REST APIs.
Default permissions
Buckets have the following permissions by default. The rightmost "Modify ACL" column indicates the users who can update the ACL. Note that you cannot change the users who can modify the ACL.
| Scope | Create KiiObjects in the bucket (CREATE_OBJECTS_IN_BUCKET) | Query KiiObjects in the bucket (QUERY_OBJECTS_IN_BUCKET) | Modify ACL |
|---|---|---|---|
| Application | Any authenticated users | Any authenticated users, Anonymous users | App administrator |
| Group | Group members, Group owner, Bucket creator | Group members, Group owner, Bucket creator | Group owner |
| User | Scope owner, Bucket creator | Scope owner, Bucket creator | Scope owner |
| Thing | Thing, Thing owner, Bucket creator | Thing, Thing owner, Bucket creator | Thing, Thing owner |

| Scope | Read KiiObjects in the bucket (READ_OBJECTS_IN_BUCKET) | Drop the bucket (DROP_BUCKET_WITH_ALL_CONTENT) | Modify ACL |
|---|---|---|---|
| Application | Any authenticated users, Anonymous users | Any authenticated users | App administrator |
| Group | Group members, Group owner, Bucket creator | Group owner, Bucket creator | Group owner |
| User | Scope owner, Bucket creator | Scope owner, Bucket creator | Scope owner |
| Thing | Thing, Thing owner, Bucket creator | Thing, Thing owner, Bucket creator | Thing, Thing owner |
Here is a brief summary of bucket permissions applied in each scope:
In the application scope, all authenticated users are permitted to perform all bucket actions, including dropping the bucket. Anonymous users are permitted only to query and read KiiObjects in the bucket.
In the group scope, the group owner and bucket creator are permitted to perform all bucket actions. The group members are permitted to perform all bucket actions except for dropping the bucket.
In the user scope, the scope owner and bucket creator are permitted to perform all bucket actions.
In the thing scope, the thing, its owner, and the bucket creator are permitted to perform all bucket actions.
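To make the default rules above checkable, here is a small policy model written for this page (it is an added example, not the Kii SDK or REST API; the `Scope`, `Subject`, `default_permissions`, `can_modify_acl` and `is_allowed` names are assumptions made for the illustration). It encodes the default ACL tables as decision logic so a reviewer can ask, for a given caller and scope, which of the four bucket actions a freshly created bucket allows and who is able to change its ACL.

```python
"""Model of the default bucket ACLs described on this page.

Added example, not Kii's own code: the Subject/Scope types and function
names are assumptions. Only the action names come from the page's tables.
"""
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    APPLICATION = "application"
    GROUP = "group"
    USER = "user"
    THING = "thing"


# Bucket action names as they appear in the ACL tables above.
CREATE = "CREATE_OBJECTS_IN_BUCKET"
QUERY = "QUERY_OBJECTS_IN_BUCKET"
READ = "READ_OBJECTS_IN_BUCKET"
DROP = "DROP_BUCKET_WITH_ALL_CONTENT"
ALL_ACTIONS = frozenset({CREATE, QUERY, READ, DROP})


@dataclass(frozen=True)
class Subject:
    """The caller, described relative to the bucket's scope (assumed model)."""
    authenticated: bool = False   # False models an anonymous user
    app_admin: bool = False
    bucket_creator: bool = False
    group_member: bool = False    # meaningful in group scope only
    group_owner: bool = False     # meaningful in group scope only
    scope_owner: bool = False     # meaningful in user scope only
    is_thing: bool = False        # meaningful in thing scope only
    thing_owner: bool = False     # meaningful in thing scope only


def default_permissions(scope: Scope, subject: Subject) -> frozenset:
    """Actions the subject may perform on a bucket that still has its default ACL."""
    if scope is Scope.APPLICATION:
        if subject.authenticated:
            return ALL_ACTIONS
        # Anonymous users may only query and read in the application scope.
        return frozenset({QUERY, READ})
    if scope is Scope.GROUP:
        if subject.group_owner or subject.bucket_creator:
            return ALL_ACTIONS
        if subject.group_member:
            # Members get everything except dropping the bucket.
            return ALL_ACTIONS - {DROP}
        return frozenset()
    if scope is Scope.USER:
        if subject.scope_owner or subject.bucket_creator:
            return ALL_ACTIONS
        return frozenset()
    if scope is Scope.THING:
        if subject.is_thing or subject.thing_owner or subject.bucket_creator:
            return ALL_ACTIONS
        return frozenset()
    raise ValueError(f"unknown scope: {scope}")


def can_modify_acl(scope: Scope, subject: Subject) -> bool:
    """Who may change the bucket ACL; the page states this set itself is fixed."""
    if scope is Scope.APPLICATION:
        return subject.app_admin
    if scope is Scope.GROUP:
        return subject.group_owner
    if scope is Scope.USER:
        return subject.scope_owner
    if scope is Scope.THING:
        return subject.is_thing or subject.thing_owner
    return False


def is_allowed(scope: Scope, subject: Subject, action: str) -> bool:
    """Convenience check for a single action against the default ACL."""
    return action in default_permissions(scope, subject)


if __name__ == "__main__":
    # Quick review of the application scope: any signed-in user may drop the bucket.
    signed_in = Subject(authenticated=True)
    print(sorted(default_permissions(Scope.APPLICATION, signed_in)))
    print(sorted(default_permissions(Scope.APPLICATION, Subject())))
```

The point worth checking in a review is the application-scope row: with default ACLs, any authenticated user can create, query, read and drop an application-scope bucket, while the bucket creator in a group scope can drop it but cannot change its ACL. If those defaults are wider than the application needs, the ACL modification feature mentioned above is the place to narrow them.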
Additionally, note the following considerations:
- For the definitions of authenticated and anonymous users, see Subject.
- You can customize a permission to create a bucket by updating a scope's ACL. For more information about setting a scope's ACL, see Scope Access Control.
- You can customize a bucket's ACL also in the developer portal. For more information, see Changing an existing bucket's ACL.